In the world of online gaming, the promise of an “edge” is a powerful lure. However, for Minecraft players, that edge is currently a double-edged sword. A dangerous new infostealer dubbed LofyStealer is circulating under the guise of a popular cheat tool named “Slinky.”
Discovered by researchers at Zenox.ai in April 2026, LofyStealer represents a significant jump in sophistication for gaming-focused malware. Attributed to the Brazil-based LofyGang group, this Malware-as-a-Service (MaaS) operation has evolved from simple JavaScript supply chain attacks (poisoned npm packages) into a professionalized, multi-stage operation built to slip past traditional, signature-based antivirus tools.
The Attack Chain: From Slinky to System Takeover
LofyStealer doesn’t rely on a single malicious file to do its dirty work. Instead, it uses a two-stage process designed to slip past modern Endpoint Detection and Response (EDR) systems.
Stage 1: The Node.js Loader
The attack begins when a user runs the fake “Slinky” executable. This file is actually a Node.js-based loader (load.exe). Its primary job is to perform reconnaissance—querying the Windows registry to find every installed browser and preparing the environment for the payload.
Stage 2: Suspended Process Injection
This is where LofyStealer gets technical. The loader identifies a target browser (e.g., Chrome, Edge, or Opera GX) and launches it in a suspended state, so the browser's own code has not yet started running. While the process is “frozen,” the loader writes the second-stage payload, chromelevator.exe, directly into the browser’s memory space and then lets it run. The result is a process that carries the name and signed image of a legitimate browser but executes the stealer.
Evading EDR: The Power of Direct Syscalls
Why doesn’t your antivirus catch this? Most security software places user-mode “hooks” on the Windows APIs that malware typically calls (in ntdll.dll and the higher-level wrappers in KERNEL32.dll) and watches those calls for suspicious behavior.
LofyStealer bypasses these hooks by:
- Direct Syscalls: Instead of calling the hooked API wrappers, it resolves the low-level Nt* functions (and their system call numbers) from ntdll.dll at runtime and issues the system call instruction itself.
- Skipping the Monitored Layer: Because the call goes straight to the kernel, the user-mode functions the security product has patched never execute, so the hooks never fire.
- Hiding in a Legitimate Process (the article calls this “Process Ghosting”; strictly, what is described is injection into a suspended, legitimate process): since the malicious code lives inside the memory of a real browser, its file access and network traffic look like normal browser activity to any tool that judges by process name, code signature, or network profile.
One caveat worth knowing: direct syscalls only defeat user-mode hooks. The kernel still sees the browser being created, a remote thread being started in it, and the handle opens needed for the injection through its own notification callbacks, which is exactly what kernel-driver-based sensors (Sysmon, ETW Threat Intelligence, EDR drivers) record. That is why the defenses below focus on behavior rather than on file signatures.
The “LofyGang” Business Model
LofyStealer isn’t just a one-off script; it’s a commercial enterprise. The LofyGang group operates a “Premium” subscription tier for other cybercriminals, offering:
- A Stealth Builder: A tool called “Slinky Cracked” to create customized malware.
- C2 Dashboard: A professional web panel branded as “LofyStealer V2.0” to manage victims.
- Real-time Exfiltration: Data is stolen, compressed via hidden PowerShell commands, Base64 encoded, and sent to a Brazilian C2 server (IP 24.152.36.241).
What is stolen? The malware targets eight major browsers, exfiltrating cookies, saved passwords, credit card numbers, active session tokens, and even IBANs.
How to Protect Your Gaming Environment
The targeting of a younger audience makes LofyStealer particularly effective, as gamers are often more willing to disable security software to install “mods” or “cheats.”
- Trust No “Cheat”: Never download game utilities from Discord, Telegram, or unofficial file-sharing sites. If a tool uses a game icon but comes from a random link, it is likely a trap.
- Monitor PowerShell Activity: LofyStealer uses PowerShell in “hidden” mode to compress stolen data. Security teams should alert on powershell.exe -WindowStyle Hidden execution, including the abbreviated forms PowerShell accepts (such as -w hidden), and treat it as high confidence when the parent process is a browser, which has no legitimate reason to spawn PowerShell. Scheduled tasks and management agents also use hidden windows, so allowlist those parents rather than silencing the rule.
- Network Blocking: Organizations and home users should block outbound traffic to 24.152.36.241 on port 8080 and log any attempt, since a hit identifies an already-infected host. The IP is a point-in-time indicator that will rotate; the process-behavior signals are the durable detections.
- Use Behavioral EDR: Traditional file-based scanning won’t stop in-memory injection. Ensure your security software is configured to detect “Process Hollowing” and “Suspended Process Injection,” for example a browser launched by an unsigned executable in a user-writable folder such as Downloads, followed by a remote thread created in that browser from a different process.
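To make the detections above concrete, here is a small, added example (written for this page; it is not LofyGang's code, and not a rule set from any vendor) that runs the four checks from the attack chain and the protection list over constructed Sysmon-style events: a browser started from a user-writable path, a remote thread created in a browser from another process, a hidden-window PowerShell spawned by a browser, and a connection to the C2 address the article names. The browser image names, the allowlisted parents for hidden PowerShell, the log lines, and the process IDs are all assumptions made for the demonstration; only the C2 IP and port come from the article.

```python
import json
import re
from pathlib import PureWindowsPath

# Indicators taken from the article.
C2_IP = "24.152.36.241"
C2_PORT = 8080

# Assumed executable names for the browsers LofyStealer targets
# (the article names Chrome, Edge and Opera GX by product name only).
BROWSERS = {"chrome.exe", "msedge.exe", "opera.exe", "brave.exe", "firefox.exe"}

# Parents from which a hidden PowerShell window is routine (scheduled tasks,
# services). This allowlist is an assumption; tune it for your own estate.
HIDDEN_PS_ALLOWED_PARENTS = {"svchost.exe", "taskeng.exe"}

# Folders a loader dropped from a Discord/Telegram link typically lives in.
USER_WRITABLE = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\desktop\\")

# PowerShell accepts any unambiguous prefix of -WindowStyle (-w, -win, ...).
# The character class is a deliberately loose match for those abbreviations.
HIDDEN_RE = re.compile(r"-w[indowstyle]*\s+hidden", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def analyze(events):
    """Run the four detections over Sysmon-like event dicts.

    Returns a list of (rule_name, process_id) tuples, in event order.
    """
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 1:  # process creation
            image = basename(ev["Image"])
            parent = basename(ev["ParentImage"])
            cmd = ev.get("CommandLine", "")
            if image == "powershell.exe" and HIDDEN_RE.search(cmd):
                if parent in BROWSERS:
                    # A browser never has a reason to spawn PowerShell.
                    alerts.append(("browser_spawned_hidden_powershell", ev["ProcessId"]))
                elif parent not in HIDDEN_PS_ALLOWED_PARENTS:
                    alerts.append(("hidden_powershell_unexpected_parent", ev["ProcessId"]))
            if image in BROWSERS and any(s in ev["ParentImage"].lower() for s in USER_WRITABLE):
                # Precursor of the suspended launch: browser started by a loader.
                alerts.append(("browser_launched_from_user_writable_path", ev["ProcessId"]))
        elif eid == 8:  # CreateRemoteThread, reported by Sysmon's kernel driver,
            #               so direct syscalls in the loader do not hide it.
            src, dst = basename(ev["SourceImage"]), basename(ev["TargetImage"])
            if dst in BROWSERS and src != dst:
                alerts.append(("remote_thread_into_browser", ev["TargetProcessId"]))
        elif eid == 3:  # network connection
            if ev.get("DestinationIp") == C2_IP:
                alerts.append(("c2_connection", ev["ProcessId"]))
    return alerts


def parse_jsonl(text: str):
    """Parse one JSON event per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed sample log: one infection chain plus two benign events.
# Paths are written with doubled backslashes because the text is JSON.
SAMPLE_LOG = r"""
{"EventID": 1, "ProcessId": 4120, "Image": "C:\\Users\\gamer\\Downloads\\Slinky\\load.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "load.exe"}
{"EventID": 1, "ProcessId": 4208, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "ParentImage": "C:\\Users\\gamer\\Downloads\\Slinky\\load.exe", "CommandLine": "chrome.exe"}
{"EventID": 8, "SourceProcessId": 4120, "SourceImage": "C:\\Users\\gamer\\Downloads\\Slinky\\load.exe", "TargetProcessId": 4208, "TargetImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"}
{"EventID": 1, "ProcessId": 4300, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "CommandLine": "powershell.exe -w hidden -c Compress-Archive -Path $env:TEMP\\ld -DestinationPath $env:TEMP\\ld.zip"}
{"EventID": 3, "ProcessId": 4208, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "DestinationIp": "24.152.36.241", "DestinationPort": 8080}
{"EventID": 1, "ProcessId": 5001, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "powershell.exe -WindowStyle Hidden -File C:\\ProgramData\\Scripts\\backup.ps1"}
{"EventID": 3, "ProcessId": 4208, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "DestinationIp": "142.250.74.78", "DestinationPort": 443}
"""

if __name__ == "__main__":
    for rule, pid in analyze(parse_jsonl(SAMPLE_LOG)):
        print(f"{rule:45s} pid={pid}")
```

Run stand-alone, the script raises four alerts for the infection chain and none for the scheduled-task PowerShell or the ordinary HTTPS connection, which is the tuning point: the parent-process context, not the hidden-window flag on its own, is what separates LofyStealer from routine automation.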
Conclusion: A Professionalized Threat
The transition of LofyGang from NPM package poisoning to sophisticated in-memory browser hijacking marks a new era for gaming malware. LofyStealer is a reminder that the tools we use to “cheat” the game are often designed to cheat us out of our digital identities.